Docker packages applications, and should only really have one app inside it. LXC is similar to a VM in that it presents itself as a stand-alone machine but uses the host kernel; it’s not like a VM in that it’s not as isolated, as it shares the host kernel.
So with LXC I agree, managing it is like being a sysadmin as that’s what it’s designed to be.
I use Docker for things that are stateless, maybe throwaway, or just to test an app quickly. I use LXC for things I want to run multiple services inside, more stateful; typically where people plumb a bunch of Docker images together, I’ll use LXC. The advantage in Proxmox is I tell Proxmox to back up my LXC nightly as it’s treated similarly to a VM.
For making LXC feel less like needing to be a sysadmin, you can use Nix to build your LXC images and import them into Proxmox. Your LXC container becomes declarative and not too dissimilar to using a Dockerfile; it’s a far more powerful Dockerfile. What I’ve done is create a bare minimal NixOS LXC with some basic config and use that as a template, then edit ‘/etc/nixos/configuration.nix’ inside the LXC on first boot. However, as it’s just NixOS you can build and push the config remotely, use NixOps, etc.
It’s a really good workflow using NixOS with LXC; however, it took me a while to get it, as the docs are a bit thin and there are old and new versions of the docs, with the new version skipping things mentioned in the old that you need to do, i.e. change the tty to /dev/console to get a shell inside the Proxmox console.
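As an added illustration of the workflow described above (not the commenter's own config), here is a minimal `configuration.nix` for a NixOS LXC template on Proxmox, including the console getty the commenter mentions. It assumes the nixpkgs `proxmox-lxc` module and its `proxmoxLXC.*` option names, the `console-getty` systemd unit, and that `nixos-generators` builds the tarball with its `proxmox-lxc` format; the SSH key is a placeholder.

```nix
# Added example, not from the thread: a bare NixOS LXC template for Proxmox.
# Assumed: the nixpkgs proxmox-lxc module, its proxmoxLXC.* option names, and
# the console-getty unit. Build with: nixos-generate -f proxmox-lxc -c configuration.nix
{ config, pkgs, modulesPath, ... }:
{
  imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") ];

  # Let Proxmox hand the container its network and hostname (assumed option names).
  proxmoxLXC.manageNetwork = true;
  proxmoxLXC.manageHostName = true;

  # The tty fix from the comment: Proxmox's "Console" attaches to /dev/console,
  # not tty1, so run the getty there or you get no shell in the web console.
  systemd.services."getty@tty1".enable = false;
  systemd.services."console-getty".enable = true;

  # Keep the template's attack surface small: key-only SSH, no password logins,
  # and only port 22 open; services get added per container later.
  services.openssh.enable = true;
  services.openssh.settings.PasswordAuthentication = false;
  services.openssh.settings.PermitRootLogin = "prohibit-password";
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [ 22 ];

  users.users.admin = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    # Placeholder: replace with a real public key before building the image.
    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAA...REPLACE_WITH_YOUR_KEY" ];
  };

  # Pin once at template creation; bump deliberately, not on every rebuild.
  system.stateVersion = "23.11";
}
```

Upload the resulting tarball to a Proxmox storage as a CT template and create the container from it as unprivileged; later changes are made by editing this file inside the container and running `nixos-rebuild switch`, or by pushing the config from outside as the comment describes.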
I have never really looked into LXC. How strong are the security guarantees? Presumably less isolated than a real VM, but with significantly better performance?
I have started to run more and more software inside a VM for better security isolation, but the loss of performance is pretty discouraging. For things that are probably fine, I might be willing to trade some theoretical security benefits.
There is an LXC provider for vagrant, which gets you the one-file concept, with the benefits that not everyone on the project has to use LXC, they just need a provider that works on their host for the specified base box.
I think a Dockerfile as a recipe for an environment is pretty elegant.
I've used LXC with Proxmox and managing what's in a container is kind of like being a sysadmin.